A repository for info that otherwise would have leaked out of my synapses.


Time again for another adventure in upgrading ApplicationXtender… this time to the much-awaited 6.x release family. Although not a revolutionary release, it is very welcome owing to the following architecture changes:

Web Access Thumbnail viewer is now a Silverlight control instead of a Java applet (a dubious improvement).

The DiskXtender image repository now implements (and AX now supports) authenticated RPC calls, instead of the unforgivable unauthenticated and unencrypted RPCs used in previous versions of the software. However, this “improvement” notwithstanding, we will be discontinuing the use of DiskXtender with this upgrade. When you look at the actual implementation details, use of CIFS/SMB2 offers us equivalent security (or more security, if implemented in conjunction with IPsec) at a lower cost, and with more configuration options.

Oracle 11g databases are now supported, for what that is worth (we will be using 10g R2 for a bit longer).

I am not going to go through a step-by-step here, but I will note the most significant configuration quirks that either were not documented in the deployment guides, or that were inadequately documented. These settings are necessary if running AX in the “least privilege” mode, instead of the moronic “make all of your service accounts domain admins” mode:

All AX components (except licensing) are still 32-bit applications. As a result, they require 32-bit libraries for interacting with external (third-party) components, so we cannot expect 64-bit Oracle database clients to be of any use. We have developed 32-bit only Oracle InstantClient v11.2.0.1 installers for use with this product.

If installing the license service on a 64-bit host, be aware that EMC has released a new version of the license server specifically for 64-bit computers. You should not use the version that ships with the initial 6.5 release.

The license service has been rewritten since AX 5.4… it now requires client access to TCP port 9251 only. Fortunately, we no longer need to muck with DCOM component security settings to get licensing to work.

After installing the WebAccess.NET components into IIS, be sure to grant the service account rights to the .NET Framework temp files directory (in “%windir%\.NET Framework\v2.xxxxx\.NET Framework Temporary Files”; I think that is the correct path).

After installing the AX Rendering service, you need to make the following additional changes:

In the properties of the Rendering service (services.msc control panel), you must clear the “Allow Service to Interact with Desktop” option.

You must grant the service account read/write access to the Rendering service installation directory in “%ProgramFiles%\XtenderSolutions”.

After installing the Indexing Server (if you are using it), and before configuration, you must ensure that your Indexing service account has a password that is fewer than 24 characters in length. The configuration utility will not complain that your password is too long, but it will truncate your password before encrypting it for storage, and the service will then fail to start (silently, and without generating any useful log information… aargh!).

Set security for the global impersonation account according to the table on page 210 of the “concepts and planning guide”.

Note that the account does not have to be a local administrator!

However, the security accounts will have to have privileges to the resources accessed by the services (i.e. NTFS filesystems rights, shared folder access).

Rendering Service –

When granting rights to the DX data store, plan ahead. Permissions could take a long time to apply.

Requires Local Security Policy “Replace a Process Level Token” and “Adjust memory quotas for a process” rights. Also, the “Allow service to interact with the desktop” box must be deselected in the “Log On” tab of the Rendering service properties.

WebAccess.NET Services –

Global Account needs only “Log on as a service” Local Security Policy assignment. You can clear out all “legacy” security permissions as they are not needed for WebAccess!

Configure the Login identity of the “ApplicationXtender License Client Components” COM+ application to use the global impersonation account. This component must be shut down to be reconfigured. Details in EMC PowerLink solution esg92864.
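One way to verify the Rendering service settings listed above from an elevated PowerShell prompt. This is an added example, not part of the original post or of EMC's tooling; the service name is a placeholder and the account name is a constructed sample, so substitute your own.

```powershell
param(
    [string]$ServiceName = '<rendering-service-name>',  # placeholder, not from the post
    [string]$Account     = 'EXAMPLE\svc-ax-render'      # constructed sample account
)

# User rights the post lists for the Rendering service account.
$required = [ordered]@{
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
    'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas for a process'
    'SeServiceLogonRight'           = 'Log on as a service'
}

# Resolve the account to a SID; secedit lists most principals as *S-1-5-...
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. "Allow service to interact with desktop" must be cleared.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc)                { "Service '$ServiceName' not found" }
elseif ($svc.DesktopInteract) { 'FAIL: interact with desktop is still enabled' }
else                          { "OK: desktop interaction is off (runs as $($svc.StartName))" }

# 2. The account does not need to be a local administrator (S-1-5-32-544).
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value }
if ($admins -contains $sid) { 'WARN: account is a direct member of local Administrators' }
else                        { 'OK: account is not a direct member of local Administrators' }

# 3. Export local user-rights assignments and index them by privilege name.
$cfg = Join-Path $env:TEMP 'ax-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $name    = $Matches[1]
        $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        $rights[$name] = @($holders)
    }
}
Remove-Item $cfg

# Only direct assignments are matched; rights inherited through a group
# will show as MISSING here and need a manual look.
foreach ($priv in $required.Keys) {
    $held = ($rights[$priv] -contains $sid) -or ($rights[$priv] -contains $Account)
    '{0,-40} {1}' -f $required[$priv], $(if ($held) { 'OK' } else { 'MISSING' })
}
```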